By Barnard Crespi
If your organization is accepting credit cards over the phone as a form of payment for services, you MUST be PCI Compliant.
The way healthcare providers take credit card payments is undergoing significant and continuous change as a result of the Payment Card Industry (PCI) security requirements and the PCI Security Standards Council's efforts to secure cardholder information. Practices that used to be accepted are being replaced with much more restrictive measures to ensure that cardholder information is protected. This industry transformation is changing how healthcare providers take and process payments over the phone.
When patients call you to pay for services over the phone, you are responsible for securing their credit card information while you collect and transmit it. You must ensure that every collection and transmission point, including your staff, phone systems, software, network segments, and data storage, complies with the PCI security standards. This includes all wired, wireless, private, and public networks. Security starts at the point where payment card information is collected, whether it is given to an employee over the phone, mailed in, handed to the cashier in person, or entered into an electronic device.
When your staff handle patients' credit card information, the people, systems, and processes that accept and process payment cards must comply with PCI standards. Any person or system that touches or stores credit card data, whether as text or as a voice recording (call recordings included), is in scope for PCI compliance. This includes all of your manual and automated systems.
At the top of your watch list:
- Ensure that all employees who handle credit card payments follow an information security policy that meets PCI requirements.
- Ensure that all systems in scope, including your PBX (VoIP), PCs, switching equipment, network servers, routers, and software, are fully PCI compliant.
- Ensure that cardholder data is encrypted with strong cryptography (for example TLS) whenever it is transmitted across your networks and onto public networks.
- DO NOT store sensitive authentication data (the CVV / CVC code, full magnetic stripe or chip data, or PINs) after authorization, not even in encrypted form.
- Avoid storing credit card numbers at all. If you must store them, make sure every stored card number (PAN) is rendered unreadable wherever it is kept, for example by strong encryption, truncation, or tokenization, and show staff who do not need the full number no more than the first six and last four digits.
- Ensure that an appropriate data retention policy is in place and followed, and that stored card data is disposed of securely once it is no longer needed.
And the list goes on.
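The three data-handling items above (never persist the CVV, keep the stored PAN unreadable, show staff only a masked number) are easy to get wrong in a home-grown call-centre application. The following is an added example written for this page, not code from the original article or from Datatel: a small Go module that accepts what an agent or IVR collected, runs a Luhn check, uses the CVV only for the authorization step (the processor call itself is left out, which is an assumption of the example), and returns a record whose type has no field for sensitive authentication data, with the PAN masked to first six / last four and encrypted with AES-256-GCM. The 32-byte key and the well-known test card number 4111 1111 1111 1111 are constructed for the example; in production the key would come from a key-management system or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// CardRecord is the only shape that may be written to a database after
// authorization. It has no field for the CVV/CVC, PIN or track data, so
// sensitive authentication data cannot be persisted by accident.
type CardRecord struct {
	MaskedPAN    string // first six and last four digits only, for staff display
	EncryptedPAN string // AES-256-GCM ciphertext (nonce || ciphertext), base64
	Expiry       string
}

// luhnValid rejects a mistyped number before anything is encrypted or stored.
func luhnValid(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps only the first six and last four digits.
func maskPAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// newGCM builds the AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPAN renders the PAN unreadable; a fresh random nonce is prepended.
func encryptPAN(key []byte, pan string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(pan), nil)), nil
}

// decryptPAN is the only path back to the clear PAN; restrict who can call it.
func decryptPAN(key []byte, enc string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", err // wrong key or tampered ciphertext
	}
	return string(pt), nil
}

// RecordAfterAuthorization takes what an agent or IVR collected from the caller.
// The CVV is checked for the authorization request only and then dropped; the
// returned record holds the PAN masked and encrypted, nothing else.
func RecordAfterAuthorization(key []byte, pan, expiry, cvv string) (CardRecord, error) {
	pan = strings.NewReplacer(" ", "", "-", "").Replace(pan) // callers read numbers in groups
	if !luhnValid(pan) {
		return CardRecord{}, errors.New("PAN failed Luhn check")
	}
	if len(cvv) < 3 || len(cvv) > 4 {
		return CardRecord{}, errors.New("CVV must be 3 or 4 digits")
	}
	// The authorization request to the processor would be sent here (omitted in
	// this example). The CVV must not outlive this call: not logged, not recorded.
	cvv = ""
	enc, err := encryptPAN(key, pan)
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{MaskedPAN: maskPAN(pan), EncryptedPAN: enc, Expiry: expiry}, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed test key only
	rec, err := RecordAfterAuthorization(key, "4111 1111 1111 1111", "12/29", "123")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record: %+v\n", rec)
}
```

The point of the type is that an audit of the database schema (or of a log statement that prints the struct) can confirm on sight that no sensitive authentication data is retained; the masked column is what billing staff see, and the encrypted column is only ever opened by the component that re-bills a card.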
The cost of managing payment security is a growing concern for healthcare providers as the measures to protect cardholder information and the payment card industry security requirements become stricter. To manage these costs, organizations have two options: (a) manage payment security in-house by retrofitting the organization, or (b) outsource the payment-related components so that the organization's risk is minimized. Understanding how a given approach affects overall payment security costs requires an analysis of process, infrastructure, and technology costs, as well as the cost of personnel. Choosing the right approach is paramount.
One solution that can help healthcare providers manage the cost of PCI compliance effectively is a secure Pay-By-Phone service from a PCI compliant service provider. This approach removes the handling of sensitive credit card information from staff, which can reduce the number of people and systems that fall within PCI scope.
At Datatel, we help businesses solve this problem by delivering a cloud-based Pay-By-Phone solution that removes the handling of all credit card information from the staff who typically take calls from patients and process other forms of unsecured credit card transactions. Datatel's CryptoIVR Pay-By-Phone is a robust, cost-effective, and easy to deploy IVR payment platform on the cloud that processes credit card payments 24/7 in a PCI compliant environment.
Datatel has been providing Pay-By-Phone solutions on the Cloud to hundreds of businesses, healthcare providers, governments, and not-for-profit organizations for over ten years.
Implementation is quick and simple with industry-specific templates.
When reviewing your PCI compliance, we recommend contacting your merchant service provider, who will be able to guide you with resources and expert assistance to meet your specific PCI compliance requirements.